Channel: IP, Technology & Data – Brodies Blog

Offensive Online Materials: Lessons from Intellectual Property Infringement


MPs have recently been calling for content platforms like Facebook, YouTube, Twitter and Google to take action to actively remove offensive content from their networks that may be considered extremist or hateful.

News reports have commented on the comparatively swift action of social media platforms to remove materials that infringe intellectual property rights. Whilst the contrast in reality may not be so stark, this post considers some of the recent legal issues around instances of intermediary liability online relating to intellectual property (“IP”) enforcement and protection, and how they might help inform the debate over a provider’s liability more generally and in relation to offensive content in particular.


Legal Solutions

Central to the issues is the removal of infringing content which has been uploaded to networks by users. The courts have been grappling with these issues in the context of IP infringement for many years and as a result there is now at least some clarity around the circumstances in which platforms like YouTube, eBay and Facebook are required to remove and/or may be liable for content uploaded by their users.

When it comes to online protection of intellectual property, the main framework is set out in a number of pieces of UK and European legislation. These include the E-Commerce Directive (and Regulations) (both together ‘The Regulations’), which apply to almost all commercial and publicly accessible websites.

The Regulations provide for certain limitations on a provider’s liability when it comes to illegal or infringing activity taking place on the platform. In essence, where a provider acts as a mere conduit, or is caching or hosting content, it will be excused provided that, upon obtaining “actual knowledge” or awareness of illegal activities, it acts expeditiously to remove or to disable access to the information concerned. The notion of ‘actual knowledge’ stops short of the monitoring that MPs are now calling for in relation to extremist and hate speech online. Up to now ‘actual knowledge’ has meant receiving some kind of notification or complaint from a rightsholder about infringing material.

In a recent decision, the Italian courts held that YouTube was merely a passive, neutral host for content and able to take advantage of the above safe harbour regime. The Italian court held that a host could only be considered ‘active’ when it intervenes in, modifies or takes part in the elaboration of the content hosted on its platform. This means that unless there was some kind of modification of the video itself by YouTube, it would not be considered as having an active role.

Who should pay the cost of protection?

The question of who should pay for the related costs of implementing technical protection measures has been visited in the context of blocking injunctions cases.

In Cartier International AG & Ors v British Sky Broadcasting Ltd & Ors [2016] EWCA Civ 658 (which is subject to an appeal to the Supreme Court at the time of writing) the court concluded that it was entirely reasonable, in the case of ISPs, to expect them to pay the costs associated with implementing mechanisms to block access to sites where infringing content had been made available. In its view the intermediaries make profits from the services which the operators of the target websites use to infringe the intellectual property rights of the rightsholders, and the costs of implementing the order can therefore be regarded as a cost of carrying on the ISP’s business.

Whilst the case was limited to the much narrower context of the technical measures required to be put in place to enforce an IP blocking injunction, the decision provides some insight into the approach taken by the courts when considering the costs issues.


Technical Solutions

There are already technical solutions deployed in the real online world. For example, YouTube’s Content ID is an automated piece of software that scans material uploaded to the site for IP infringement by comparing it against a database of registered IP. The challenge will be how these types of systems can be used by online platform providers to address extremist and similar speech, or indeed other types of content that may not belong on the network. For online technology companies, the question will be whether they are prepared to take on these burdens and the associated risks, such as becoming targets for claims about inappropriate censoring and freedom of speech.


Lessons learned

In some ways IP infringement might be considered to involve more of a bright-line distinction between infringing and non-infringing content, as well as a less emotive context. While IP enforcement still has grey areas, when considering who should be in control of acceptable speech online, and the tests applicable to it, there is scope for much more blurring of lines. If control rests with the ISPs and their technical prowess, they will hold significant power to decide how and whether to remove material as extreme, which is ultimately a subjective decision.

The stakes are arguably much higher and not always just economic. All in all it may be more difficult than might first appear for the legislature to get the balance right.

The post Offensive Online Materials: Lessons from Intellectual Property Infringement appeared first on blogs.


WP29 publishes finalised guidance on DPOs, data portability and supervisory authorities


Following draft guidance published late last year, the Article 29 Working Party (WP29) has approved final versions of its guidance on data protection officers (DPOs), data portability, and the identification of a lead supervisory authority under the General Data Protection Regulation (GDPR).

Data Protection Officers

The guidance on DPOs summarises the key requirements under the GDPR. Public authorities and any organisation whose core activities consist of processing special category (sensitive) personal data or that regularly and systematically monitors data subjects on a large scale will need to appoint a DPO. The requirement to appoint a DPO applies to both controllers and processors.

The WP29 provides some guidance on how this should be interpreted. Whilst simply holding special category personal data on employees will not constitute a core function, using that data to provide healthcare services would. For example, that is likely to mean that a number of charities and outreach functions in health and social care will be required to appoint a DPO.

The WP29 goes on to say that “systematic monitoring” is not just limited to online tracking. It would include data-driven marketing, credit scoring, location tracking, CCTV, and using data from connected devices such as wearables, smart meters and home automation.

When considering whether processing is large-scale, relevant factors will include the number of data subjects, the volume of data and the duration of the processing.

Whilst the GDPR states that a DPO can be shared with another organisation (for example within a corporate group) or outsourced to a service provider, the WP29 emphasises that this can only happen where it is done in a way that does not impact upon the duties of the DPO. In particular, the DPO will need to have sufficient knowledge of the organisation, resources and involvement in discussions and decisions relating to the organisation’s handling of personal data.

Finally, the WP29 provides some guidance on the requirement that DPOs should not be subject to any conflicts of interest. In particular, the WP29 notes that:

As a rule of thumb, conflicting positions within the organisation may include senior management positions (such as chief executive., chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments), but may also [sic] other roles lower down in the organisational structure.

Data Portability

Data portability is a new right under the GDPR. It applies to personal data processed using automated means (so not paper records), where processing is carried out either on the basis of consent or that it is necessary for the performance of a contract to which the data subject is a party. In short, it is intended to enable a data subject to export their data or easily move it to a third party provider.

The WP29 emphasises that the right of data portability is distinct from the right to make a subject access request. Those rights are different things and can be exercised independently.

Whilst GDPR states that the right of data portability applies to personal data “provided to a controller”, the WP29 interprets this broadly. In particular, the WP29 states that this includes “observed” data – for example, raw data processed by a smart meter, activity logs, history of website usage or search activities. Whilst user profiles created from such data are expressly excluded by the WP29, this interpretation substantially broadens the scope of data that an organisation might have to make available.

The WP29 also gives some guidance on third party personal data, noting that in some circumstances the data to be provided will necessarily include personal data relating to third parties – for example details of bank transfers in relation to bank account transaction histories and details of recipients of emails in relation to a webmail service. However, providing that information to a new data controller does not permit that new data controller to use the third party data for other purposes – for example, for marketing purposes.

In order for organisations to prepare for data portability, there are a number of issues to consider:

  • Can a system be implemented to simplify or automate data portability requests?
  • How will responsibilities be allocated between joint data controllers?
  • Do you need assistance from a data processor to comply with a data portability request? If so, what assistance do you need? Does your contract deal with that?
  • What format will data be provided in and what means of transfer will be used (noting the requirement to ensure that any data transfer is secure)?

Lead Supervisory Authority

The final guidance note relates to identifying a controller or processor’s lead supervisory authority. This is relevant not just to multinational organisations, but also to data processors processing personal data on behalf of data controllers that are located in another EU member state.

The GDPR enables organisations to identify a lead supervisory authority when operating in multiple member states. The intention is to simplify an organisation’s dealings with regulators, by appointing one lead regulator that will then liaise as required with regulators in other countries.

The test for identifying the lead supervisory authority is based on the main establishment of the data controller. This is likely to be the place of central administration with authority to implement decisions in relation to data processing activities, or where the main processing takes place. However, the WP29 notes that an organisation/group of companies may have different locations for different data processing activities. It gives the example of a German bank, which has an insurance subsidiary that is headquartered in Austria. In that case, Austria would be the main establishment for processing in relation to insurance services.

The guidance also notes that when dealing with a group of undertakings, there may not be a central place of administration where decision making is delegated to national subsidiaries/branches. In that case, it may not be possible for the group to appoint a lead supervisory authority.

Finally, the guidance emphasises that data processors may need to liaise with multiple supervisory authorities – not just the supervisory authority for the country or region in which they are located, but also the relevant lead supervisory authority for each data controller on behalf of whom they process personal data. For those data processors that operate internationally, that means that they will need to deal with multiple supervisory authorities, which may create an administrative burden when dealing with, say, a data breach incident.

Where can I download the Article 29 Working Party guidance?

You can download the WP29 guidance on the WP29 website.

To discuss how the GDPR impacts on your organisation and what you should be doing to prepare, please get in touch with me or another member of our Data Protection & Information Law team or visit our GDPR Hub.


Carrying out Privacy Impact Assessments under the GDPR


As part of its on-going programme of guidance under the General Data Protection Regulation (GDPR), the Article 29 Working Party (WP29) has published draft guidance on data protection impact assessments (DPIAs).

Whilst DPIAs (or PIAs) have been advocated as best practice by the UK’s Information Commissioner’s Office (ICO) for a number of years, anecdotal evidence suggests that not many organisations carry out DPIAs as a matter of routine. The ICO’s current guidance on PIAs is available on the ICO website.

Under the GDPR, DPIAs will be mandatory for certain types of processing. The WP29’s draft guidance sets out how the national supervisory authorities intend to interpret the new requirements. The guidance also considers what might be considered “high risk” processing under the GDPR.

What is a DPIA?

A DPIA is a process to help organisations identify, assess and mitigate or minimise privacy risks with data processing activities – for example, the launch of a new product or the adoption of a new practice or policy or system. It is also relevant to decisions to, for example, outsource a service or function to a third party or to undertake internal reorganisations (for example, the centralisation of an HR function or IT systems in a multinational business).

A DPIA is an integral part of privacy by design, another best practice principle adopted by the GDPR, and is a key component in helping an organisation to comply with its obligation to demonstrate compliance with the GDPR. Under the GDPR, a DPIA should set out:

  • a description of the envisaged processing operations and the purposes of the processing
  • an assessment of the necessity and proportionality of the processing
  • an assessment of the risks to the rights and freedoms of data subjects
  • the measures envisaged to address the risks and demonstrate compliance with the GDPR

Organisations should have appropriate policies in place within their organisations to ensure that a DPIA is considered in relation to any new processing activities and, where a DPIA is to be performed, how it will be carried out.

The WP29 guidance sets out criteria that organisations can use to assess whether or not a DPIA, or a methodology to carry out a DPIA, is sufficiently comprehensive to comply with the GDPR.

In what situations must an organisation undertake a DPIA?

The GDPR requires that organisations carry out a DPIA where the processing is likely to result in a “high risk” to the rights and freedoms of data subjects. The obligation to conduct a DPIA is on the data controller.

The GDPR expressly references the use of new technologies, systematic and extensive evaluation using automated processing, large scale processing of special category (sensitive) personal data and “systematic monitoring of a publicly accessible area on a large scale” as examples of things that might constitute high risk processing. The DPIA should be carried out prior to commencing the processing.

The WP29 guidance expands on this to give some non-exhaustive examples such as credit monitoring, genetic testing, the use of communications or location data, matching or combining datasets, processing data concerning vulnerable data subjects (such as employees), and using innovative technology such as fingerprint recognition.

However, given the benefits, the WP29 also emphasises that a DPIA should be considered whenever an organisation is considering a new project and if the organisation decides not to carry out a DPIA then it should document why.

Do I need to carry out a DPIA for existing processing activities?

No – unless there is a material change in risk. However, given that the WP29 recommends that DPIAs are regularly reviewed (at least every three years), you should plan to carry out a DPIA for existing activities in due course.

When should a DPIA be carried out?

As early as possible in relation to any new project, so that its findings and recommendations can be incorporated into the design of the processing operation. As a project progresses, organisations should also revisit their DPIAs, the issues identified and the risk mitigation plans to ensure that they remain up to date.

Who should be involved in producing a DPIA?

If an organisation has a Data Protection Officer (DPO), then the DPO should play a key role in carrying out a DPIA. The WP29 expects that organisations with a DPO will seek the advice of the DPO and document that, and the decisions taken, in the DPIA.

Where data is being processed by a data processor, the processor should assist the data controller in carrying out the DPIA – for example by providing information on the processor’s practices and systems.

Finally, the GDPR requires organisations to “where appropriate” seek the views of data subjects and their representatives. This might require consultation with, for example employees or customers. The WP29 suggests that this could be done in a number of ways – for example:

  • an internal or external study
  • in the case of employees, formal consultation with staff representatives/unions
  • in the case of customers/consumers, a survey sent to prospective customers

The WP29 considers that if organisations decide not to consult with data subjects then they should document why. They should also document the outcome of the consultation, including the reasons for any decision that differs from the views expressed by data subjects.

Is there any requirement to consult with the ICO?

If a DPIA indicates that processing would result in a high risk, and it is not possible to adopt measures to mitigate those risks, then the GDPR requires that organisations consult with the relevant supervisory authority (in the UK, the ICO).

The WP29 gives the example of a proposal to store personal data on laptop computers. If the organisation adopts appropriate data security measures (for example, full disk encryption, access control and secured back-ups), then the risks will have been mitigated and there would be no need to consult with the relevant supervisory authority.

Is there an obligation to publish DPIAs?

In line with the transparency obligations under the GDPR, the WP29 recommends that organisations consider publishing their DPIAs – either in full or by way of a summary. The WP29 emphasises that publishing a DPIA can be helpful in fostering trust, particularly where the processing affects members of the public.

Where can I find the WP29’s draft guidance on DPIAs?

The draft guidance can be downloaded from the WP29 website.

To discuss how the GDPR impacts on your organisation and what you should be doing to prepare, please get in touch with me or another member of our Data Protection & Information Law team or visit our GDPR Hub.


WannaCry: A warning for employers


The WannaCry ransomware attack that sabotaged the IT systems of over 200,000 companies, including parts of the NHS, Telefonica and FedEx, once again underlines the increasing importance of cybersecurity across all employment sectors.

The consequences of such attacks for companies can be devastating, leading to serious long-term economic and reputational harm.

Cybersecurity is no longer simply an IT or data protection issue, but something to be addressed throughout the entire business – from board level right through to temporary workers and contractors.


Cyber Security Breaches Survey 2017

The Department for Culture, Media & Sport published the Cyber Security Breaches Survey 2017 on 19 April. Of the 1,500 UK businesses surveyed, only:

  • 33% have a formal policy covering cybersecurity risks;
  • 37% have rules around the encryption of personal data;
  • 11% have a cybersecurity incident management plan; and
  • 20% have had employees attend cybersecurity training within the last 12 months.

Aside from a lack of awareness of cybersecurity risks, the findings demonstrate that UK businesses have a lot to do before the General Data Protection Regulation (GDPR) comes into force in May 2018.

The GDPR imposes a number of new requirements in relation to data protection, including an increased emphasis on transparency and accountability, requiring organisations to demonstrate that they comply with the GDPR. For cybersecurity, this means having in place appropriate IT security, staff training and awareness and systems to ensure that security breaches are reported to regulators within 72 hours. The GDPR also provides regulators with enhanced powers, including much broader authority to issue fines.

My colleague Martin Sloan has written about why the GDPR means that cybersecurity should be a board level issue.

Brodies GDPR hub has more information on the GDPR and guidance on what businesses should be doing now to prepare.


Prevention is better than cure: mitigating risk

Human error is the biggest risk of all. It is therefore essential that employers keep their employment contracts and IT/data protection policies under strict review and communicate them clearly to employees.

Five key preventative measures:

  1. Adopt a holistic approach: make cybersecurity a key part of your company strategy at all levels.
  2. Know your data: identify the nature of data held; who can access it; where it is stored; the duration for which it should be kept; how it is protected; and how robust that protection is.
  3. Clearly drafted policies: introduce, review and update your policies on IT systems, appropriate IT use, handheld devices and social media.
  4. Train, train and train: once your policies are in place, train and educate your employees on a regular basis so that they know how to mitigate the risk of a cyber incident and what to do when they suspect one has taken place.
  5. Vigilance: update your security software; filter inbound and outbound communication; encrypt sensitive information; and adopt a good password policy.


New Data Protection Bill announced in the Queen’s Speech


The UK Government has committed to enact a new Data Protection Act which “will ensure that the United Kingdom retains its world-class regime protecting personal data”.

What does the Bill cover?

According to the explanatory policy paper that accompanied the Queen’s Speech, the new Bill will “ensure the UK has a data protection regime that is fit for the 21st century” by:

  • ensuring that the UK’s data protection framework cements the UK’s position at the forefront of technological innovation, international data sharing and protection of personal data;
  • strengthening rights and empowering individuals to have more control over their personal data;
  • establishing a new data protection regime for non-law enforcement data processing (implementing the Law Enforcement Directive); and
  • modernising and updating the regime for data processing by law enforcement agencies.

We already know that the biggest shake-up of data protection law in a generation is coming down the track in the form of the EU’s General Data Protection Regulation (GDPR) and the last Conservative Government made it clear that, despite Brexit, it expected GDPR to take effect in the UK on 25 May 2018 in the same way that it would take effect in all other EU member states. Indeed, given GDPR, the UK would have had to enact complementary UK legislation to supplement GDPR in areas that were left to member states, so some form of UK data protection legislation was going to be necessary in the next parliamentary session anyway.

The UK Government has said that one of the main benefits of the Bill will be to implement GDPR and, indeed, the stated aims of this new Data Protection Bill are very much in line with GDPR, but given that GDPR will take effect in the UK automatically anyway, it is not entirely clear what this new Data Protection Bill will actually do that is new.

For example, the explanatory policy paper says that the new Bill will include “a right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it”. This right is already included within GDPR, so is the intention to strengthen or modify that right? It’s not clear.

Data transfers between the UK and EU post Brexit

One of the stated benefits of GDPR is that it establishes a harmonised single legislative regime for data protection across all EU member states.

Whilst the UK will leave the EU, maintenance of that harmonised regime (albeit with some changes) would be helpful in terms of facilitating cross-border trade and allowing the sort of ‘frictionless’ transfers of personal data between the UK and EU that the Government again aspires to. If the UK is to enact specific data protection legislation that puts a UK overlay on GDPR then, depending on what it says, that may have a bearing in UK/EU negotiations as to whether personal data can be transferred freely between the UK and EU (and vice versa).

A decision by the EU to accord the UK status that allows free movement of personal data is not a formality and the European Court of Justice has struck down in the past decisions where it considers that the arrangements concerned do not afford equivalent protection to EU law.

It is encouraging at least, therefore, that the UK Government clearly sees that it will be hugely important that data protection continues to be taken seriously because impediments to the free movement of personal data between the UK and EU are likely to prove a major headache for international businesses operating within a post-Brexit UK.

With that in mind, to encourage international business to operate in the UK, it will be important to create an environment that makes such impediments less – rather than more – likely. The continuation of the stated aim to implement GDPR should undoubtedly help.

You can keep up to date with the latest developments on data protection reform and GDPR, and download our handy guides to the GDPR on our GDPR Hub.


Update on Article 29 Working Party guidance under the GDPR


The Article 29 Working Party (WP29), the grouping of representatives from national privacy regulators across the EU, has provided an update on its timetable for publishing further guidance under the General Data Protection Regulation (GDPR).

The update is set out in a press release issued following the WP29’s June meeting.

Guidance on Data Privacy Impact Assessments (DPIAs)

The WP29 expects to finalise guidance on DPIAs in October 2017. Draft guidance was issued last month.

Other guidance in the 2017 Action Plan

The WP29 has confirmed that it expects guidance on the other areas covered in its 2017 Action Plan to be adopted by December 2017. Those areas are:

  • Consent
  • Profiling
  • Transparency
  • Data breach notifications; and
  • Data transfers

The update will be frustrating for organisations trying to prepare for GDPR, as regulatory guidance is key to unlocking what is required to comply with a number of key areas.

Opinion on employee monitoring

The WP29 has also adopted an opinion on employee monitoring, which will be published soon. The WP29 last issued an opinion on this in 2001, so expect a number of changes to reflect changes in technologies and working practices.

As ever, our GDPR Hub keeps up to date with the latest developments. To discuss how we can assist your organisation in preparing for GDPR, please get in touch.


Revised guidance on subject access requests


Following a series of court decisions earlier this year, the Information Commissioner’s Office (ICO) has issued an updated version of its code of practice on Subject Access Requests (SARs). The revised code addresses a number of difficult issues in relation to SARs, including how the rules on disproportionate effort should be interpreted.

Background

Earlier this year, the Court of Appeal in England issued its judgments in a number of SAR cases: Holyoake v CPC & Christian Candy, Dawson-Damer v Taylor Wessing and the joint appeals of Ittihadieh v 5-11 Cheyne Gardens & Ors and Deer v Oxford University. The Court of Appeal’s judgments provided some clarity on the law and, in some instances, adopt a different approach to that taken previously by the ICO in its SAR Code.

What does the new Code say?

The Code has been updated to deal with a number of key points coming out of the Court of Appeal decisions: the scope of the disproportionate effort exception; the data subject’s motives for making the request; and the Court’s discretion to use its enforcement powers.

Disproportionate effort

Previously, the ICO’s view was that the reference in section 8(2) to disproportionate effort applied only to making available the personal data once it had been located by the data controller. The Court of Appeal disagreed. The exception has a wider application.

Taking into account the Court of Appeal decisions, the ICO has updated section 8 of the Code. The Code acknowledges that the steps controllers are required to take when responding to a SAR must be reasonable and proportionate. However, if a controller decides that it is not going to take certain steps on the basis that they are not reasonable and proportionate, it will need to be able to justify that approach:

[w]e expect you to evaluate the particular circumstances of each request, balancing any difficulties involved in complying with the request against the benefits the information might bring to the data subject, whilst bearing in mind the fundamental nature of the right of subject access.

In particular:

…the burden of proof is on you as data controller to show that you have taken all reasonable steps to comply with the SAR.

If a controller considers that complying with the request may involve disproportionate effort, then the ICO expects that controllers will discuss this with the data subject to see whether the scope of the request can be refined or narrowed. If a controller does not engage in discussions with the data subject, then the ICO will take this into account when dealing with any complaint about the controller’s handling of the SAR.

Disproportionate effort and emails

The ICO has tweaked its guidance in relation to providing access to information in emails. Whereas previously the ICO said that controllers cannot refuse to comply with a SAR on the basis of disproportionate effort “simply because it would be costly and time consuming” to find information in archived emails, the ICO now acknowledges that the disproportionate effort exception may apply.

However, controllers cannot use it as the basis for a blanket refusal. Controllers must still do what is proportionate in the circumstances.

Motives behind the SAR

The ICO has also clarified its guidance to make clear that the motives behind a SAR (ie a purpose other than simply checking what information is held and whether it is correct) are not relevant. However, it is for the courts to decide whether or not to enforce compliance.

Scope of the Court’s enforcement powers

As the Court of Appeal noted in the Dawson-Damer case, there is “nothing in the Data Protection Act or the Directive that limits the purpose for which a data subject may request his data,” but the court does have discretion in deciding whether to enforce compliance with a SAR.

The ICO has updated its guidance to incorporate the range of factors identified by the Court of Appeal as being things that a court can take into account when deciding whether or not to order an organisation to comply with a SAR. These include:

  • the nature and gravity of the data controller’s breach of its obligations under section 7 of the DPA (which deals with SARs)
  • the general principle of proportionality
  • balancing the individual’s fundamental right of subject access against the interests of the data controller
  • prejudice to the individual’s interests
  • whether there is a more appropriate route to disclosure
  • where there is an abuse of process or conflict of interest

As the ICO notes, these factors do not affect the obligation of a controller to make a disclosure in response to a SAR, but instead are relevant to whether a court will decide to compel a controller to comply where it has previously refused to do so. How a court will weigh up these factors remains unclear. Organisations will therefore need to think carefully when deciding not to comply with a SAR on the basis of any of these grounds and be able to justify to a court why the court should use its discretion not to order compliance.

Where can I find the new Code?

You can download the new code of practice from the ICO’s website. Similar amendments have also been made to the ICO’s CCTV Code of Practice.

If you would like to discuss what changes you should make to your SAR procedures to take into account the Court of Appeal decisions and the revised SAR Code, please get in touch with me or your usual Brodies contact.

The post Revised guidance on subject access requests appeared first on blogs.

WP29 issues updated opinion on employee monitoring

The Article 29 Working Party (WP29), the grouping of representatives from the various national privacy regulators in the EU, has issued an updated opinion on employee monitoring.

Background

WP29 opinions are not legally binding under EU data protection law, but do set out how the national privacy regulators (as a collective group) view how the law should be interpreted.

The WP29 last looked at employee monitoring in 2001, when it issued its original opinion. That opinion was followed up in 2002 with a working document on surveillance of electronic communications in the workplace.

The latest opinion is timely, reflecting changes in technology, the growth of things like homeworking and “Bring Your Own Device”, and the General Data Protection Regulation (GDPR), which comes into force in May 2018.

Legal grounds for processing

The Opinion emphasises that for the majority of data processing at work, consent will not be an appropriate or valid ground for processing, as the nature of the relationship between employee and employer means that consent is unlikely to be freely given.

In most cases, employers will therefore need to identify another basis for processing, such as it being:

  • necessary for the performance of the employment contract;
  • necessary to comply with legal obligations; or
  • necessary for the legitimate interests of the employer, having regard to the impact on the rights of the individual.

In each case, the requirement is that the processing is necessary, not simply desirable. The employer will need to be able to justify its position if challenged.

Privacy impact assessments and data protection by design

When considering any new processing, employers should adopt data protection by design. For example, when issuing devices to employees, the Opinion suggests that the most privacy friendly settings should be used if tracking technologies are involved to minimise the intrusion and amount of personal data collected. The Opinion identifies the risk of “over collection” in systems, where data is collected beyond that which is necessary for the purpose.

In line with GDPR, employers should also carry out a data protection impact assessment (DPIA or PIA) to identify the risks and identify steps that can be taken to mitigate those risks. A DPIA will also help employers to comply with the obligations under GDPR to maintain records and be able to demonstrate compliance with GDPR.

You can download our handy guide to DPIAs on our GDPR Hub.

Guidance on specific scenarios

The Opinion sets out the WP29’s views on a number of specific scenarios, including:

  • the use of social media during recruitment
  • in-employment monitoring of social media profiles
  • monitoring ICT usage at the workplace
  • monitoring ICT usage outside the workplace (eg remote working, BYOD/MDM and the provision of wearable devices)
  • monitoring time and attendance
  • monitoring using video surveillance
  • vehicle tracking
  • disclosing employee data to third parties such as customers
  • international transfers of HR and employee data (including cloud hosted office or HR system)

“<REDACTED> will deliver your parcel between 1307 and 1407”

Whilst the WP29’s views on many of these subjects reflect the general principles of necessity, proportionality and transparency, some sections may cause surprise. These impact not just on internal HR but wider customer service.

For example, the WP29 concludes that it would not be lawful for a delivery company that provides customers with a real time link to the deliverer’s location to also provide the name and photograph of the scheduled delivery driver for the purposes of allowing a customer to check that the deliverer is indeed the right person.

The WP29 states that it is not necessary to provide the name and photo. However, it is unclear if the WP29’s concern is with whether the purpose (allowing a customer to verify the deliverer’s identity) of the processing is in the delivery company’s legitimate interests or (having accepted that this is a legitimate interest) with whether the company’s proposed steps to enable this are actually necessary. These are quite different things. Unfortunately, the Opinion does not explain this.

Arguably, providing real time location information is the more intrusive action here (when a customer need only really know the current estimated delivery time). Again, it is unclear whether the WP29 would have an issue if the name and photo were provided without the real time location information.

Comment

As noted above, the WP29’s opinions are not binding law. They do, however, give an indication as to how the WP29’s members will consider specific areas of data protection law. As part of a privacy impact assessment, employers should therefore consult the guidance and take this into account when considering employee monitoring.

If employers decide to proceed with monitoring that is at odds with the views of the WP29, then employers should ensure that they document their approach (and the steps taken to mitigate the impact) and their reasons for proceeding in that way.

Where can I find the WP29’s opinion?

You can download the WP29’s opinion from the WP29 website.

If you would like to discuss your use of workplace monitoring and/or your preparations for the GDPR, please get in touch with me or your usual Brodies contact. To find out more about the GDPR, visit our GDPR Hub or download our Handy Guide to the GDPR for HR Professionals.

Does the fundraising preference service apply to charities in Scotland?

This week the Fundraising Regulator launched the Fundraising Preference Service (FPS). There is a lot of confusion over what the FPS is, who it applies to and what happens if charities don’t respect an individual’s preferences.

What is the Fundraising Preference Service?

The FPS is a service operated by the Fundraising Regulator. It is similar to the Telephone Preference Service or Mail Preference Service, except that the FPS is an industry led self-regulation initiative. Members of the public can sign up to the service in order to set out their wishes regarding fundraising contact – identifying any methods of contact which they do not wish to receive, or charities from whom they do not wish to be contacted.

Is it mandatory?

Yes, for charities registered in England and Wales that are registered with the Fundraising Regulator. The Fundraising Regulator considers this part of its remit to improve the image of the sector.

However, registration with the Fundraising Regulator is not currently mandatory. Charities that register are entitled to use the Fundraising Regulator’s badge on their materials. It is possible that statutory registration will be implemented in future, if industry self-regulation does not address the concerns that the Fundraising Regulator is intended to address.

Does the FPS apply to Scottish-registered charities?

No. The rules apply based on where the charity is primarily registered. Charities primarily registered in Scotland are regulated by OSCR, which has chosen not to implement the FPS. This applies where a Scottish-registered charity performs fundraising in England. However, if a charity is primarily registered in England but fundraises in Scotland, it will be required to comply with the FPS – even where the individual who has registered preferences resides in Scotland.

While the FPS does not apply directly in Scotland (and nor does the Fundraising Regulator), high standards in fundraising are expected in Scotland. Individuals can use a new system of fundraising oversight in Scotland to raise concerns and make complaints. In addition, OSCR retains its powers to investigate matters itself or concerns raised by the public. For more on the new Scottish Fundraising and Adjudication Panel, see this blog post.

Remember, even though Scottish charities are not required to comply with the FPS, the underlying rules on marketing in the Data Protection Act (DPA) and the Electronic Privacy Regulations apply throughout the UK. The FPS is simply an industry self-regulatory scheme that sits on top of existing laws.

Charities should also remember that the DPA will be replaced next year by the General Data Protection Regulation (GDPR), which introduces tougher rules on the use of personal data and obtaining consent to marketing. It is also expected that the Electronic Privacy Regulations will be updated at the same time. Find out more on our GDPR Hub.

How do individuals sign up for the FPS?

Individuals sign up online through a dedicated portal, which they can use to find charities by whom they do not wish to be contacted, then select the methods (whether phone, email, post or SMS) by which they do not wish to be contacted.

Can I use the FPS to stop all fundraising communication?

The service does not allow individuals to simply opt out of all fundraising contact from every charity. Users will instead be directed to the pre-existing Mail and Telephone Preference Services which do allow a total block on contact.

I am an individual living in Scotland. Can I sign up to the FPS?

Any individual within the UK may sign up to the FPS. However, as the FPS only covers charities registered in England and Wales, only these charities will be caught by the preferences you enter. Many charities which are registered in England and Wales engage in fundraising throughout the UK and these will be affected. Charities which are registered only in Scotland will not be affected.

Are charities still required to maintain their own system for managing complaints?

The FPS does not remove charities’ responsibility for managing their own complaints. The service is an addition to charities’ responsibilities and the complaints procedure may still be called upon.

What are the consequences of failing to comply with an individual’s registered preferences?

As a self-regulatory body, the Fundraising Regulator does not have the power to impose fines upon charities. Charities which fail to comply will instead be reported to the Information Commissioner’s Office and may be subject to fines or other enforcement action if the charity is found to have breached the Data Protection Act or the Electronic Privacy Regulations.

In December, the ICO fined the RSPCA and the British Heart Foundation for misuse of individuals’ personal data in relation to fundraising. Further fines to another 11 charities were issued in April this year. In addition to these fines, charities run the risk of adverse publicity and the associated reputational damage. This service was set up partly as a response to negative press generated by unrestricted fundraising in the past; it is therefore likely that breaches will incur further negative press coverage.

Where can I find out more?

To find out more about the regulation of fundraising, or your preparations for the General Data Protection Regulation, please get in touch with our Charities or Information Law teams.

The king of beer disputes – Elvis v BrewDog

The hugely successful Scottish-based brewery, BrewDog, have built a reputation on innovative and attention-grabbing product launches and brand names. They decided to take on the Elvis Presley Estate (Estate) in a controversial trade mark dispute relating to their Elvis Juice IPA. They have been defeated at the first stage decision at the UK Intellectual Property Office, but it remains to be seen whether Elvis will leave the building (or the shelves) or fight on for a come-back tour.

At the end of last month the UK Intellectual Property Office ruled in favour of the Estate and refused BrewDog’s registration for UK trade marks for “Elvis Juice” and “BrewDog Elvis Juice” for beer and brewery products. The brewers launched their grapefruit and blood orange Elvis Juice IPA in 2015 and it quickly became one of the company’s bestselling products, with turnover of just under £2 million in 2016. In 2016 their trade mark applications for Elvis Juice and BrewDog Elvis Juice were opposed by the Estate, based on the Estate’s earlier European Union trade mark registrations for the words Elvis and Elvis Presley, which protect identical beer and brewery products.

Readers of our blog, when the dispute was still at an earlier stage of brewing, may recall that in response to the Estate’s opposition the two founders of BrewDog announced that they had changed their Christian names by deed poll to Elvis! Given that the change of names apparently happened after commencement of the trade mark opposition action and the company traded as BrewDog rather than Elvis, any potential defence to trade mark infringement claims based on honest use of their own names was never going to be a strong measure (or pint!). Perhaps it was more of a clever spin to highlight that BrewDog considered the Estate may be taking the enforcement of intellectual property rights too far when BrewDog was a prominent part of the brand name, was well-established and customers could not be confused or assume any association with “the King”.

On the other hand, trade marks are valuable guarantees and badges of origin and it is important for brand owners to take enforcement action to avoid copy cats taking a free ride or the brand becoming generic. The Estate will have wanted to protect the valuable Elvis brand and set a marker down that third parties are not free to use the Elvis name on any products.

Subject to any appeal by BrewDog, the UK IPO has refused to register BrewDog’s applications meaning that either they will have to change the product name to avoid additional claims of infringement and damages or (which seems unlikely at this point) agree a commercial deal with the Estate obtaining official permission to use the Elvis name.

The key legal issue which the IPO had to decide was whether BrewDog’s use of Elvis Juice and BrewDog Elvis Juice created a likelihood of association in the minds of consumers such that there was at least a risk that due to the use of the Elvis name the public would wrongly believe that the BrewDog product came from the Estate or was linked to it, thus creating a likelihood of confusion. Having agreed that the Estate’s earlier Elvis and Elvis Presley trade mark registrations covered identical beer and brewery products it was decided that the average consumer would consider or recall the Elvis name as the most prominent or at least equally prominent part of the Elvis Juice or BrewDog Elvis Juice names and would assume that no other trader would use such a mark other than those responsible for the Elvis mark. It was decided that the average consumer would assume that the brand Elvis Juice was from the same or economically linked source as the Elvis brand (i.e. the Estate) and so the BrewDog applications were rejected.

It is clear from the reasoning of the decision that BrewDog’s defeat was in large part due to the huge reputation and iconic status of Elvis, and the fact that this was not a standard memorabilia product but an alcoholic beverage. Whether BrewDog now appeal the decision or instead use it to generate support among their customer base and 50,000 shareholders and turn the defeat into a positive remains to be seen. Given the iconic status of Elvis so many decades after his death, it is hard to see how BrewDog could succeed on appeal. However, it is interesting that in the course of the opposition, the Estate dropped their claims based on them having a famous mark which was being taken unfair advantage of. Also, the earlier trade mark registrations for Elvis and Elvis Presley were only registered in 2014 and 2015. It does not appear, or at least there was certainly no evidence filed to demonstrate, that there has been any use of these marks. In the UK and in the European Union a trade mark is vulnerable to cancellation if it is not used within five years of registration. As neither mark had yet been registered for five years, such a challenge was not possible or relevant at this point in time.

It is not clear that the decision would have been the same if based on other Elvis registered trade marks for goods other than beer or beer products as many consumers buy memorabilia type products as a fan rather than believing such products emanate from one official source. It will also be interesting to see whether the Estate launch beer products in the UK and/or European Union any time soon to avoid any non-use challenge. Perhaps given the product success and the need for use, some form of mediation could lead to a “Love Me Tender” resolution…or instead it may be time for Elvis to leave the BrewDog building?

It will be interesting to see how this one plays out in the media and whether it is seen as a victory for strong global intellectual property rights or provides too much of a dogged protection for big brand owners.

Using drones in Scotland

At the weekend, the UK Government announced plans to introduce drone registration and safety awareness courses, with the aim of better regulating how drones are used in the UK. What rules currently apply to using drones in Scotland?

Background

Drones are, increasingly, a part of everyday life. They can be used for aerial photography, for delivering goods or just for fun. As the number of drones in the sky grows, it is ever more likely that they will be flying over private property.

As such, it is increasingly important that drone operators and landowners have a clear idea of their responsibilities and rights. Whilst some of the laws regulating drone use are reserved powers and governed by UK-wide laws, certain areas are regulated by Scots law.

Drone Operators

All drone operators must abide by the “Drone Code”, which is a consolidation of the relevant provisions of the Air Navigation Order 2016. This provides that drones must:

  • be used safely;
  • be kept within visual range of the operator;
  • be flown no higher than 120m;
  • keep at least 50m from persons or structures, and at least 150m from crowds or built-up areas (including not overflying these); and
  • be kept away from airports and airfield flight paths.

If you are not operating your drone commercially, this is the current limit of the requirements placed upon you. If, however, you are flying as part of a commercial enterprise, there are additional duties. You must seek permission from the Civil Aviation Authority. This will involve a test of your skill at the controls. A breach of the 2016 Order is a criminal offence.

Many drones have cameras, and aerial filming and photography are popular uses for drones. Commercial operators who intend to record photographs or video footage should be aware of their duties in terms of the Data Protection Act (and, from May 2018 the General Data Protection Regulation).

The Information Commissioner’s Office has published guidelines for this purpose. The Civil Aviation Act 1982 imposes extra duties upon operators of this type of drone. In particular, operators should try to avoid “collateral intrusion”, i.e. the inadvertent storing of images of individuals while filming another target. Operators may wish to ensure that their equipment is not set to continuously record while active.

Drones and Scottish land access rules

Looking at this issue from the other direction, what rights do landowners have to prevent drones from being used on or over their land?

Although not certain, it is likely that the use of drones for leisure (i.e. non-commercial) purposes would fall within the scope of “recreational purposes” in terms of the Land Reform (Scotland) Act 2003 and be subject to the Scottish Outdoor Access Code. In that respect, landowners have the same powers to prevent drone operators from flying from or over their land as they do to prevent hikers traversing it. This is, of course, very little power indeed.

As (albeit small) aircraft, drones fall within the scope of the Civil Aviation Act 1982, section 76(1) of which provides that no action of trespass or nuisance may arise solely out of the flight of an aircraft over property (whether for commercial or leisure purposes). This is subject to the flight being at a reasonable height and complying with the Air Navigation Order.

There is relatively little guidance as to what constitutes a ‘reasonable’ height (previous cases related to aircraft carrying out aerial photography), but it will depend on the facts as the court must have regard to all the circumstances of the case in reaching its decision.

This does not mean that drone operators are free to do whatever they wish in the airspace above private land, however. Where the drone is operated in an unreasonable manner or, for example, is emitting noxious chemicals, or is conducting constant surveillance of a house and its occupants, this behaviour may still be enough to ground an action in nuisance.

Use that does not comply with permitted use under the 2016 Order or is below a reasonable height will need approval.

Landowners may also attempt to limit drone use contractually through terms and conditions of access (for example, for buildings or sites where there is paid-for access), either through direct restrictions or through provisions dealing with intellectual property rights in photos and videos. Whether such terms are effective will (again) likely depend on the facts, how the terms are communicated and whether as a matter of law those terms are capable of binding a drone operator who never physically enters the premises.

Conclusion

As is often the case with technology, the rise of the drones has rather stolen a march on the development of the law.

Whether the Government’s proposals will help improve the safe use of drones remains to be seen.

In the meantime, operators should take care to abide by the regulations that currently apply and rules or procedures used by landowners to govern access. Landowners should be aware of the rights of drone operators to access, and to overfly, their land and think carefully about how they seek to control access to ensure that it is lawful and effective.

DCMS publishes statement of intent on Data Protection Bill

The Department for Culture, Media and Sport (DCMS) has published a Statement of Intent in relation to the proposed Data Protection Bill, which was announced in the Queen’s Speech. The Statement follows a Call for Views conducted by DCMS prior to the General Election.

What’s been announced?

Contrary to media coverage of the Statement, today’s announcement contains little that is new.

Many of the measures announced in the Statement and the accompanying press release are not “proposals”. They form part of the General Data Protection Regulation (GDPR) and will come into force in the UK automatically on 25 May 2018. Indeed, as an EU Regulation in force at the date of Brexit, those measures would be imported automatically into UK law upon Brexit under the European Union (Withdrawal) Bill.

What the DP Bill will do is introduce national legislation dealing with the various member state derogations under the GDPR. The Statement provides some information on how the Government intends to approach these.

UK derogations under the GDPR

The DCMS Call for Views asked for feedback on how the UK should approach the various national derogations under the General Data Protection Regulation (GDPR). In the Statement, DCMS sets out its proposed approach to some of these:

  • The UK will lower the digital age of consent to 13. When processing on the basis of consent, providers of online services will need the consent of a parent or guardian when obtaining consent from children under the age of 13.
  • The UK will maintain existing rights under the Data Protection Act to process personal data relating to criminal convictions and other special (sensitive) categories of personal data. This means, for example, that employers will still be able to carry out criminal records checks.
  • The UK will legislate to enable organisations to carry out automated decision making for certain legitimate functions, such as automated credit reference checks prior to making an offer of a loan.
  • The UK will also legislate to maintain the existing provisions in the DPA in relation to freedom of expression in the media and research and archiving.

As trailed in the papers accompanying the Queen’s Speech, the DP Bill will also create two new criminal offences and one expanded offence:

  • an offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
  • an offence of altering records with intent to prevent disclosure following a subject access request
  • widening the offence of unlawfully obtaining data to include those who retain data against the wishes of the data controller (even if initially obtained lawfully)

Full details of the responses received to the Call for Views can be downloaded from the DCMS website (.zip, 27MB).

What else will the DP Bill do?

The DP Bill will repeal the Data Protection Act 1998. It also appears that it is intended to deal with the mechanical issues arising out of the importation of GDPR into UK law post Brexit – for example, making clear that the law applies to all personal data, not just EU-derived personal data.

What is not clear from the Statement is how some of these measures will work mechanically. Will there be further legislation to deal with data protection post-Brexit? Will the measures be suspensive upon Brexit occurring? It is not clear. We will need to wait until the draft Bill is actually published.

Implementation of the Law Enforcement Directive

The final thing to be dealt with by the DP Bill is the UK implementation of the Data Protection Law Enforcement Directive (DPLED). The DPLED sits alongside the GDPR and deals with processing of personal data by the police, prosecutors and other agencies involved in law enforcement.

As the DPLED is a Directive, not a Regulation, it must be implemented through member state legislation. The deadline for implementation is 6 May 2018.

Isn’t it a bit confusing having the law set out in the GDPR and the DP Bill?

In a word, yes.

The media coverage over this morning’s announcement and the Government’s “proposals” shows how much confusion exists over the GDPR. Individuals and organisations may be under the misapprehension that many of the things mentioned in the Statement of Intent are UK initiatives and will only apply once the DP Bill has come into force. That is not the case.

This muddies the waters in relation to efforts to increase awareness of the GDPR and the steps that organisations need to take to prepare. Rather than continuing to focus on raising awareness of GDPR, we will now be talking about two pieces of legislation, the GDPR and the DP Bill, that are largely identical in effect.

If the DP Bill is also intended to deal with data protection law post Brexit (as the Statement seems to imply), then there is also a risk that legislation on important national derogations under the GDPR is held up whilst Parliament debates what data protection law in the UK looks like post Brexit. That is not helpful to organisations trying to prepare for the GDPR and looking for clarity and certainty as to how the UK will approach those derogations.

It is not clear what form the DP Bill will take, but the GDPR is 88 pages long. Adding in the sections dealing with national derogations and implementation of the DPLED (itself 43 pages long), then it is clear that the DP Bill could be a substantial piece of legislation.

In my view, it would have been better for Parliament to deal first with the laws required to implement derogations under the GDPR and to implement the DPLED and only once those laws and GDPR had come into force to then deal with what will happen post-Brexit.

When will the DP Bill be published?

It is expected that the Government will publish the draft DP Bill in early September. In the meantime, visit our GDPR Hub to find out what you can be doing to prepare.

Government publishes position paper on Brexit and data protection

The Government’s latest Brexit position paper covers transfers of personal data between the UK and the rest of the EU post-Brexit. As with other position papers published by the Government, the paper provides an outline of the Government’s preferred approach and is important reading for any organisation that transfers personal data between the UK and other countries – whether elsewhere in the EU or beyond.

For anyone that has been following this topic, there is little in the way of surprises in the data protection paper. In summary:

  • the Government is seeking a finding of adequacy from the EU in respect of UK data protection law
  • the Government plans for the UK to continue to rely upon the EU’s existing adequacy decisions, to ensure a smooth transition for data transfers between the UK and third countries such as Canada, Switzerland and to the US via the Privacy Shield Scheme
  • the Government would like to discuss a model whereby the Information Commissioner’s Office is “fully involved in future EU regulatory dialogue”

Findings of adequacy

As the position paper notes, the finding of adequacy is by far the most preferable basis for enabling lawful transfers of personal data between the rest of the EU and the UK. In the absence of a finding of adequacy, data controllers would need to put in place Standard Contractual Clauses or use Binding Corporate Rules or approved Codes of Conduct, leading to additional cost and administrative complications for organisations. This would not deliver on the Government’s desire for “friction free” data transfers.

It is therefore unsurprising that the Government is advocating a finding of adequacy.

Adequacy findings can take some time to be issued, and there is a need to provide organisations with certainty and stability in relation to current data transfer arrangements. The Government is therefore pushing for at least an interim adequacy finding on the basis that the General Data Protection Regulation will enter into UK domestic law under the EU Withdrawal Bill, pending discussions on fuller arrangements.

While the fact that the EU data protection law will have applied up until the date of Brexit should make things simpler, it remains to be seen whether controversial legislation such as the Investigatory Powers Act impacts on whether a finding of adequacy is forthcoming. It is somewhat ironic that one of the parties to bring the original challenge to UK investigatory powers legislation which led to last December’s decision from the CJEU was a certain David Davis, now Secretary of State for Exiting the EU.

UK adoption of existing EU findings of adequacy

Noting the need to provide certainty and stability to organisations that currently transfer personal data between the UK and countries outside the EU, the suggestion that the UK adopt the EU’s existing findings of adequacy is sensible. While the position paper is silent, I presume that the UK would also seek to adopt the current Standard Contractual Clauses approved by the Commission for international data transfers.

What is more interesting is how the UK would respond if an EU supervisory authority or court were to strike down, say, the EU-US Privacy Shield or a finding of adequacy in respect of a particular country.

The ICO’s participation in future regulatory dialogue

Both the Government and the ICO have suggested that the ICO would continue to work closely with other supervisory authorities post Brexit, and the position paper proposes exploring mechanisms to make this happen.

The consistency mechanism under the GDPR requires supervisory authorities such as the ICO to operate in a consistent manner across the EU, and it seems likely that one of the reasons for the prolonged delays in GDPR guidance from the Article 29 Working Party (WP29)/European Data Protection Board (EDPB) is the need to reach consensus across 28 supervisory authorities, each of which has historically taken a different approach to interpreting EU data protection law.

A loss of UK influence going forward may lead to an approach that is more aligned with the views of those supervisory authorities that have historically been pro-individual. That, in turn, may lead to post Brexit differences in interpretation arising between the UK and the rest of the EU (which in turn may impact on any finding of adequacy in respect of the UK).

It is therefore understandable that the Government would like to ensure that the ICO still has a seat at the table.

On the other hand, the position paper states that the “UK Government will continue to have responsibility for the content and direction of data protection policy and legislation within the United Kingdom.” Would the EU permit the ICO to have that seat at the table if the UK did not agree to be bound by the WP29/EDPB guidance?

That, as with many things associated with Brexit, is likely to be a matter of politics.

Find out more

You can download the Government’s position on the Gov.uk website.

Find out more about the GDPR on our GDPR Hub.


Intellectual Property – EU wishes post Brexit


The European Commission has published a position paper today setting out the main principles (or wish list) of the European Union on EU-wide intellectual property rights post Brexit. These are valuable assets such as EU trade marks, Community Design Rights and protected geographical indications, all of which at present have unitary protection across the EU member states. The impact of the UK’s withdrawal from the EU creates uncertainty for the owners of such rights – for both UK and EU member state businesses.

What does the paper do?

The paper sets out the high level principles which the EU negotiators will present to the UK in the context of the ongoing Brexit negotiations. The paper recognises that Brexit creates uncertainty for both UK and EU member state businesses and aims to ensure that existing EU wide rights will remain protected in the same way in the UK post Brexit and that any pending applications for such rights at the time of Brexit will be entitled to equal protection in the UK post Brexit.

Good or bad for IP owners?

The paper sets out commercially sensible and desirable goals which should be welcomed by IP owners – but as ever the success of the negotiations can only be measured once the details are agreed.

The key negotiation principles

  • Owners of existing EU wide IP rights should post Brexit automatically have a UK equivalent IP right for no additional financial cost and with minimal administrative burdens. So an EU trade mark owner should have a UK trade mark offering the same legal protection post Brexit.
  • If such UK protection requires new UK legislation to create or recognise such a right in the UK, that needs to be in place at the withdrawal date. This may for example result in a new UK system for UK protected geographical indications.
  • For EU wide IP applications which are pending at the time of Brexit, the applicants should be able to seek protection in the UK from the same date as their pending EU application to ensure no rights are lost.
  • Any IP rights which were exhausted (meaning IP owners cannot object to further commercial activities) in the EU before the withdrawal date should remain exhausted in both the UK and other EU member states.


Scottish Parliament passes reforms of third party rights under Scots contract law


The Scottish Parliament has passed the Contract (Rights of Third Parties) (Scotland) Bill.

As has been noted in previous blogs, reform of third party rights under Scottish contract law is long overdue. The Bill addresses a lack of clarity about the scope of third party rights in relation to contracts.

These rights were unclear and inflexible and meant that Scots law wasn’t seen as a particularly friendly law under which to enter into contracts and other commercial arrangements. In contrast, English law was reformed in 1999 and has provided a much clearer framework. As a consequence, a number of Scottish organisations opt to contract under English law rather than Scots law.

The reforms will be welcomed by businesses and lawyers alike and it is hoped that it will enhance the commercial attractiveness of Scots contract law for commercial transactions. The reforms implement recommendations from the Scottish Law Commission.

What is changing in relation to third party rights in Scotland?

The current rules will be replaced with a new, more flexible system of regulating third party rights under contracts, on a par with that introduced in England and Wales nearly 20 years ago.

These reforms will make it much easier for businesses to contract for goods and services on a group-wide basis under Scots law, simplifying contracts and reducing uncertainty around enforcement. The Act will remove uncertainty and help ensure that contracts do what the parties intend them to do, and it will also bring benefits for consumers in relation to, for example, the enforcement of insurance policies.

The new laws will clarify the rights of individuals or organisations that are not the contracting parties to a contract, but are intended to benefit from it. It makes doing business easier because third party rights, put simply, provide a mechanism by which businesses with large corporate structures can contract more simply by entering into one contract that benefits several companies within their group, rather than having to strike many separate agreements.

Third party rights can be created where there is an undertaking by a contracting party, and the intention of the contracting parties (whether expressly or implicitly) is to confer rights in respect of that undertaking on a third party. As in England, parties in Scotland will be able to create rights in favour of specific third parties or groups of third parties.

What should I be doing to prepare?

In preparation for the new laws coming into force, organisations should update their template contracts to reflect the new rules. Organisations will also want to look at their existing contractual arrangements to consider how the new rules will impact on those and whether they should be updated.

For future contracts, understanding the new law will be critical to ensure that the drafting meets the requirements of the legislation where third party rights are to be created, and that such rights are not created unintentionally. Those drafting contracts will also need to take care in determining what rights the contracting parties are to have to cancel or modify any third party rights created once they have been notified to the third party who is to benefit from them.

When will the new laws come into force?

The Bill is expected to receive Royal Assent in the coming weeks. The Scottish Government has not yet provided an anticipated commencement date for the Act coming into force, but it is expected that it will come into force later this year.

Where can I find a copy of the new Act?

You can download the final Bill from the Scottish Parliament website.

To discuss how the Act will impact your contracts, and what you should be doing to prepare, please get in touch with me or your usual Brodies contact.

Scottish Parliament helps pave the way for new pan EU Unitary Patent Court


The first ever truly pan EU patent system, the new Unitary Patent Court (‘the UPC’), is one step closer to becoming a reality as a result of the Scottish Parliament Justice Committee deciding to approve an Order today.

The UPC has taken a long time to get to this stage (over 25 years) and had been set to go live later this year. It is intended to improve the current European patent system, under which parties have to litigate patent disputes in individual national courts in the relevant member state. This is costly and can lead to inconsistent decisions. In contrast, UPC enforcement and validity actions will be in one single court and will take effect in all 25 participating EU member states. This should make it easier, less expensive and more efficient to obtain and enforce patents right across the EU.

The prospect of Brexit cast the UK’s membership of the UPC into doubt. Before the UPC can come into force, both the UK and Germany must still ratify it. The UK Government indicated last November that it will ratify the UPC, which made it clear that it wishes the UK to remain a party to it post Brexit.

A draft Statutory Instrument (The Unified Patent Court (Immunities and Privileges) Order 2017) in the UK Parliament (laid on 26 June 2017, reported here) is awaiting debate in the House of Commons (which is currently in recess, returning on 9 October). However the Scottish Parliament also had to give effect to the necessary legislation.

This takes the shape of a draft Statutory Instrument, The International Organisations (Immunities and Privileges) (Scotland) Amendment (No. 2) Order 2017. The Scottish Parliament’s Delegated Powers and Law Reform Committee (DPLR) has already considered the draft Statutory Instrument (‘the SI’) and passed it at that stage. The next step was for the Justice Committee to consider it and make a recommendation. The UK and the Scottish Orders are both required to be passed in order to give effect to the Protocol on Privileges and Immunities of the UPC, which in turn will allow the UK to ratify the UPC Agreement. The Scottish Order was debated today and was approved.

Subject to final Parliamentary approval this gives the green light for the UPC to go further and avoids the difficulties that could have resulted if the SI had been rejected – not least that the UK could not ratify meaning the whole UPC project could have been put at risk.

On the whole this must be good news for Scotland and the UK. Scottish SMEs in the tech and life sciences sectors should stand to benefit as they will be able to participate on a pan EU scale at what are hopefully going to be affordable costs. As such, it should avoid them having to continue to rely on the old, more cumbersome and expensive EU patent system in order to gain their desired level of patent coverage in the EU and the UK (post Brexit).


Unjustified threats – easier to justify?


The UK regime for unjustified threats of legal proceedings for alleged IP infringement has undergone major surgery, but will this make it easier for IP owners to stop infringers?

Key provisions of the Intellectual Property (Unjustified Threats) Act 2017 (“the Act”) come into force on 1 October 2017, bringing some long overdue reforms to the unjustified threats regime in the UK.

The law relating to threats was originally devised to protect downstream players from unjustified threats of intellectual property (“IP”) infringement action. These provisions were considered necessary to prevent rightsholders from making such threats against the often smaller sellers and distributors (“secondary infringers”) in the supply chain, who may be innocent or not have the resources or expertise to challenge the claim. They allowed such aggrieved parties to sue the rights owner for injunctive relief or damages. However, the resultant legislative framework led to many problems in practice. It could even result in the undesirable situation where rights holders were discouraged from engaging in any correspondence with potential infringers for fear of being sued for unjustified threats.

The Act seeks to deal with the main gripes and criticisms relating to the previous regime whilst maintaining the balance between the interests of rightsholders and parties that may be subject to unjustified threats. In so doing it tries to clarify what rightsholders can say in correspondence to alleged infringers, sets out the circumstances where communications with secondary infringers are permissible and introduces exemptions from liability for professional advisers under certain circumstances.

What is a threat?

To recap, a communication is considered to be a threat if the communication would be considered by a reasonable person in the position of the recipient to relate to an existing IP right and indicate that proceedings were going to be raised in respect of it. This common law definition of what constitutes a threat has now been set out in the Act.

a communication is considered to be a threat if the communication would be considered by a reasonable person in the position of the recipient to relate to an existing IP right and indicate that proceedings were going to be raised in respect of it

For example, if a patent holder writes a letter threatening patent infringement proceedings to a seller of an allegedly infringing product, this threat may be considered actionable and the seller could raise an action for unjustified threats of patent infringement as a result.

What is changing?

The Act seeks to address some of the failings under the existing legislative regime and introduces the following changes:

  • The Act defines “permitted communications” which are communications that can be made without being considered an actionable threat.  This includes certain communications to secondary infringers that would previously have been considered threats.  The Act further empowers the court to treat any other purpose as a “permitted purpose” if it considers it is in the interests to do so.
  • The Act harmonises the threats provisions by bringing the law as it relates to threats for trade mark and design right infringement into line with the law relating to unjustified threats of patent infringement proceedings. For all three IP rights it is now clear that a threat can be made against a primary infringer (ie manufacturer/importer) for secondary infringements such as selling or distributing infringing articles. Previously, such communications to primary infringers for secondary infringement in relation to trade marks and designs would be considered actionable threats, but under the Act this is no longer the case.
  • The Act now applies to threats in relation to acts carried out in the UK. Previously, the threats provisions related to a threat of legal proceedings in the UK. However, under the Act this has been widened to cover acts done in the UK even if the proceedings might be raised elsewhere. This wording was introduced to cover the new Unitary Patent and has the effect of capturing any acts that apply to the UK.
  • Under the old regime an action for unjustified threats could be raised against the party making the threat or their professional advisers. This had resulted in professional advisers often seeking an indemnity from their clients when sending letters that could have resulted in a threats action. This, and the threat to sue the adviser, could drive a wedge between a client and its lawyer and could be a tactic deliberately employed by a shrewd alleged infringer’s legal representative. The Act now excludes liability for professional advisers, although this only applies where the communication clearly states that the adviser is acting on client instructions and identifies the client in those communications.

Conclusions

The Act does bring in some welcome changes to the unjustified threats regime in the UK, not least some consistency of approach as between the different types of registered IP. However, it remains complex and no doubt will need to be tested in practice, with litigation brought to clarify its effect. These changes should nevertheless encourage greater pre-action correspondence, thus avoiding unnecessary court action. They should help redress the balance between rightsholders and potential infringers whilst providing some clarity as to the types of communication that can be made without risking an action for unjustified threats. These changes are laudable; however, the legal landscape is still far from straightforward in relation to threats, and advice should always be sought to avoid being unwittingly dragged into a threats action.


Benefits of protecting your IP in Scotland


Intellectual Property (IP) is often the most important and valuable asset of a business. IP exists in many forms such as brand names, inventions, manufacturing processes, confidential information and product or industrial designs. Taking steps to identify IP assets and then protecting and enforcing the rights in these is vital to maintain and enhance their value and competitive edge, and to help ensure that revenue streams are maximised.

Scotland is an IP owner friendly and efficient venue to enforce IP rights and to resolve IP disputes. Scotland is an independent legal jurisdiction within the UK with its own court system. There are designated Scottish IP judges and distinct commercially focussed IP court rules.

Although IP law is in essence the same in Scotland as in the rest of the UK, there are key differences in Court enforcement practices and procedures.

In many cases of IP infringement, Scotland will be the only or the most appropriate jurisdiction in which to take action and can also be the optimum UK forum for ensuring that all IP infringements are caught and stopped. It is important that IP owners and their advisers are aware of and consider Scotland as a valuable dispute forum. There are strategic and commercial advantages to enforcing IP rights in Scotland.

  • Wide Protection – A Scottish court can deal with IP infringement if the infringer is based in Scotland, has a place of business in Scotland, or the infringing activity is taking place or is threatened to take place in Scotland. If the infringer has its registered office in Scotland, any order of the Scottish court has automatic effect throughout the UK and, depending on the nature of the IP in question, possibly throughout Europe too. An English court order obtained against a Scottish based infringer will not stop infringing activities in Scotland.
  • Interim interdict (injunction) – These are available quickly and are key weapons in the fight against IP infringers, often leading to a swift global settlement. In certain circumstances interim interdicts can be granted without advance notice to the alleged infringer. There is no equivalent to the English Civil Procedure Rules in Scotland. There is also no requirement to give contractual cross-undertakings as a pre-condition for grant of interim interdict.
  • No automatic disclosure – There is no automatic discovery or disclosure of evidence. The scope of any disclosure is usually narrow, optional and by application. This can offer significant time and cost savings.
  • Efficient IP case management court rules – The rules make litigation as swift and as cost efficient as possible. From the outset the judge will focus on the real issues in dispute and move the case towards a swift final hearing, often within 6 – 9 months of raising the action.
  • Specialist IP judges – The IP judges have built up broad experience in resolving all forms of IP disputes and they have developed a track record of delivering commercial and common sense rulings.
  • Caveats protect against ex parte interdicts – Caveats provide advance notice of interim orders such as interim interdicts being granted without notice. Caveats should be filed where there is any hint of a dispute with a Scottish connection. Often parties outside of Scotland may have engaged in pre-action correspondence about a dispute and are caught out by the grant of an interim interdict in the absence of a caveat being filed.
  • Publicity – Taking court action in Scotland generally attracts less publicity than can be the case in other jurisdictions. This can be advantageous if a party wishes to minimise any press coverage of raising an action and it can operate “under the radar”.
  • Surprise element – Taking court action in Scotland may take the infringer by surprise and involve them being forced to litigate in a court which is not familiar to them, which may encourage a swifter resolution.
  • Costs – The cost of issuing a Scottish action in the Court of Session is approximately £300 whatever the value of the claim, and the level of adverse costs exposure is generally around 50% of the other party’s costs.

If you are thinking about protecting your IP assets in Scotland, or want to discuss the benefits of doing so please contact Robert Buchan at robert.buchan@brodies.com.


Profiling and automated decision making under the GDPR


The General Data Protection Regulation (GDPR) introduces new rules in relation to certain kinds of automated decision making and profiling. Earlier this week, the Article 29 Working Party published its draft guidance on how those rules should be interpreted.

What is automated decision making and profiling?

Automated decision making and profiling are two separate, but often interlinked concepts.

  • Profiling is a form of automated processing of personal data used to analyse or predict matters relating to an individual. For example analysing an individual’s performance at work, financial status, health, interests or location.
  • Automated decision making is the ability to make decisions without human involvement. In practice, profiling can often be a precursor to automated decision making.

Profiling and automated decision making can be used in three ways:

  • General profiling – where individuals are segmented into different groups, based on data analysis
  • Decision-making based on profiling – where a human makes a decision based on profiling
  • Solely automated decision making – where an algorithm makes a decision, with no human intervention

General prohibition on certain types of automated decision making

Under Article 22(1) of the GDPR, decisions based solely on automated decision making which produces legal effects or similarly significantly affects an individual are prohibited unless:

  • It is necessary for the performance of or entering into a contract;
  • It is authorised by law; or
  • It is based on the data subject’s explicit consent

Automated decision making that involves special categories of personal data, such as information about health, sexuality, and religious beliefs, is only permitted where it is carried out on the basis of explicit consent or where it is necessary for reasons of substantial public interest, such as fraud prevention and operating an insurance business.

Necessity is interpreted narrowly, and organisations must be able to show that it is not possible to use less intrusive means to achieve the same goal.

Further regulatory guidance on what constitutes “explicit” consent is expected in due course. As with general consent under the GDPR, any consent must be freely given, unambiguous, specific and informed.

What is meant by “legal effects” or “similarly significantly affects”?

“Legal effects” are things that have an impact on an individual’s legal rights or affect a person’s legal status or rights under a contract. Examples include:

  • Being entitled or denied benefits such as housing or child benefit
  • Being refused entry at a national border
  • Automatic disconnection from a mobile phone service because an individual forgot to pay their bill

“Similarly significantly affects” means decisions that have non-trivial consequences, such as:

  • Automatic refusal of an online credit application
  • Automated decisions about credit limits, based on analysis of spending habits and location
  • E-recruiting without any human intervention
  • Certain types of targeted advertising
  • Online profiling that leads to different individuals being offered different pricing

In practice, this will require an analysis of how automated decision making and profiling is used and the consequences of that for the individual.

Can I get round the restrictions by just having a human nominally supervise the decision?

No. Any human intervention must be meaningful. The individual must analyse all available data and have the authority and competence to change the decision.

What do I need to tell individuals?

Where decisions are made solely using automated decision making, organisations must:

  • tell the individual that it is using automated decision making for these purposes;
  • provide meaningful information about the logic involved (for example by explaining the data sources and main characteristics of the decision making process); and
  • explain the significance and envisaged consequences

The Article 29 Working Party recommends that these steps are followed whenever automated decision making is used, as this can help with ensuring that the processing is carried out fairly.

Safeguards and transparency

Individuals must be told when a decision has been taken solely using automated decision making and they must have the right to request a review of the decision. The review should be by a person with appropriate authority and capacity to change the decision and should involve a thorough review of all relevant data and any additional information provided by the individual.

Organisations using automated decision making should also carry out regular reviews and use appropriate procedures to prevent errors.

Data Protection Impact Assessments

When considering using automated decision making and profiling, organisations should assess the risks using a data protection impact assessment (PDF). Conducting a DPIA will help organisations show that appropriate measures have been put in place to mitigate those risks and help demonstrate compliance with the GDPR.

Organisations should also remember that any use of automated decision making and profiling must comply with the general principles in the GDPR in relation to fair and lawful processing and the requirement to provide individuals with a privacy notice. Such processing will also be subject to the general rights of individuals under the GDPR, including the right to object to certain types of processing (including direct marketing), the right of rectification and the right to erasure.

Where can I get more information?

The Article 29 Working Party’s draft guidance on profiling can be downloaded from the Article 29 Working Party website. The draft guidance is open for comments until 28 November 2017.

To find out more about the GDPR or get in touch, please visit our GDPR Hub.


Scottish Parliament approves order paving way for the new EU Unitary Patent Court


The first ever truly pan EU patent system, the new Unitary Patent Court (‘the UPC’), is one step closer to becoming a reality as a result of the Scottish Parliament deciding to approve an Order today.

As previously reported, a draft Statutory Instrument (The International Organisations (Immunities and Privileges) (Scotland) Amendment (No. 2) Order 2017) was considered and approved on 26th September 2017 by the Scottish Parliament’s Justice Committee. As such, it next required final Parliamentary approval to come into effect. The Scottish Order (as well as the equivalent English one, The Unified Patent Court (Immunities and Privileges) Order 2017) requires to be passed in order to give effect to the Protocol on Privileges and Immunities of the UPC, which in turn will allow the UK to ratify the UPC Agreement.

The Scottish order was debated by the Parliament today and given final and almost unanimous approval. This gives the green light for the UPC to go further and avoids the difficulties that could have resulted if the SI had been rejected – not least that the UK could not ratify meaning the whole UPC project could have been put at risk.

The UPC has taken a long time to get to this stage (over 25 years) and had been set to go live later this year. It is intended to improve the current European patent system, under which parties have to litigate patent disputes in individual national courts in the relevant member state. This is costly and can lead to inconsistent decisions. In contrast, UPC enforcement and validity actions will be in one single court and will take effect in all 25 participating EU member states. This should make it easier, less expensive and more efficient to obtain and enforce patents right across the EU.

The prospect of Brexit cast the UK’s membership of the UPC into doubt. Before the UPC can come into force, both the UK and Germany must still ratify it. The UK Government indicated last November that it will ratify the UPC, which made it clear that it wishes the UK to remain a party to it post Brexit.

Once again this must be good news for Scotland and the UK as a whole. Scottish SMEs in the tech and life sciences sectors should stand to benefit as they will be able to participate on a pan EU scale at what are hopefully going to be affordable costs. As such, it should avoid them having to continue to rely on the old, more cumbersome and expensive EU patent system in order to gain their desired level of patent coverage in the EU and the UK (post Brexit).

